Samsung has been working on its Tizen OS for quite some time and while it hasn’t worked on phones very well, the company’s work adapting it to televisions and smartwatches has been pretty solid, especially in the case of the latter. However, a new report from Motherboard isn’t too kind to the OS, revealing that it is full of major security vulnerabilities, calling it “a hacker’s dream.”
If you recall, it was just a couple of weeks ago that WikiLeaks revealed that Samsung’s Tizen-powered smart TVs were able to monitor users, but only if one could physically access the TV and install the malware via USB. However, as reported by Motherboard, Tizen’s security holes go far beyond that and span form factors.
The article cites a researcher in Israel who has discovered 40 major zero-day vulnerabilities in Tizen that would allow hackers remote access to the millions of Tizen devices around the world. The researcher, Amihai Neiderman, had the following to say regarding Tizen’s security holes:
It may be the worst code I’ve ever seen. Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.
All I can say is, that’s got to hurt…
There are a lot of issues at play here. The largest by far, though, is the Tizen app store. Using the store, Neiderman was able to deliver malicious code to his Samsung smart TV without much difficulty. Since the store has the highest level of clearance on a Tizen device, this is the “Holy Grail” for hackers as it will allow them to “update a Tizen system with any malicious code [they] want.”
Neiderman states that these vulnerabilities are found across all form factors using Tizen, including TVs, smartwatches, and even phones. He says that much of Tizen’s code is borrowed from past Samsung projects, such as Bada, but most of the security issues are found within the newer bits of code. He further states that these are the kind of issues you’d find in code written 20 years ago, showing that Samsung just isn’t keeping up with the times.
He also notes that he tried to contact Samsung several months ago to detail these issues, but received only an automated response. Following the Motherboard article, Samsung quickly got in touch and started working with Neiderman on fixes, and it is reconsidering a wider rollout of Tizen to smartphones in light of these issues.
We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities. Through our SmartTV Bug Bounty program, Samsung is committed to working with security experts around the world to mitigate any security risks.